MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ACRStealer

Vendor detections: 6

Intelligence 6 IOCs YARA 18 File information Comments

SHA256 hash:	4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d
SHA3-384 hash:	e8a88fe80005a47e0bc74f1e3e2646601be738ac332f65b04318b7cbb602e4c9270b0a5ff8b8499882c372b7bbff2b66
SHA1 hash:	8f63a152895971216ab6d6dca59a13addd0d25dd
MD5 hash:	c2c31bcc36938378bd68fae4479b6423
humanhash:	social-pennsylvania-carolina-mobile
File name:	setup.zip
Download:	download sample
Signature	ACRStealer Create hunting rule
File size:	3'293'645 bytes
First seen:	2025-02-02 13:19:00 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:kfztawdHahdZfc+SMiGYkDBQIPI4h1pMX7DKaexiBh9VipKCdbPm12+nOK:twdHJMtXDJRhgr4xiBh9VipK6m12mH
TLSH	T1B7E518D1C3D14CD05970C7E843FC682C9AA688E629DF5BD6ABBD65B2340960C79BF324
Magika	zip
Reporter	aachum
Tags:	ACRStealer file-pumped rezipped zip

iamaachum

https://bjjky.cfd/ =>https://mega.nz/file/fTZGhLQQ#BZcdVuf4zLTdH9jlgMtfqAZxDYz-EnxMa_0ZgIqmbTA

ACRStealer C2: mm.underarmpresumingsubscript.shop

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:	setup.exe
Pumped file	This file is pumped. MalwareBazaar has de-pumped it.
File size:	716'308'720 bytes
SHA256 hash:	34a4212ab10d2edc6a8894cc368807279fc7c200aec606c18eb6a0bf21350cb5
MD5 hash:	d3950aba808e5efaa8d498bd99d06237
De-pumped file size:	2'037'760 bytes (Vs. original size of 716'308'720 bytes)
De-pumped SHA256 hash:	2d8e86b6f8aa26d52f7aa5b4e269b43b4357b3414b46158dd8f5e9c084d6ceb8
De-pumped MD5 hash:	44c67893bb01e33ec1cb0a5a4013be34
MIME type:	application/x-dosexec
Signature	ACRStealer

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malicious

File Type:

ZIP File - Malicious

Link:

https://app.docguard.net/4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d/results/dashboard

Behaviour

SuspiciousEmbeddedObjects detected

Gathering data

Verdict:

Suspicious

Labled as:

HEUR/Pumpar.Generic

Link:

https://www.hybrid-analysis.com/sample/4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d

Score:

Verdict:

Benign

File Type:

Result

Malware family:

n/a

Score:

9/10

Tags:

credential_access defense_evasion discovery spyware stealer

Link:

https://tria.ge/reports/250202-rwe64avre1/

Behaviour

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Browser Information Discovery

Program crash

System Location Discovery: System Language Discovery

Checks installed software on the system

Reads user/profile data of web browsers

Uses browser remote debugging

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.84

Link:

https://yomi.yoroi.company/submissions/4f99c8a02195d016caa7d648fbaeb9b19717ac5efa91caf20f9fa54898dbec5d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PK_PUMP_AND_DUMP Create hunting rule
Author:	Will Metcalf @node5
Description:	Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	Suspicious_Latam_MSI_and_ZIP_Files Create hunting rule
Author:	eremit4, P4nd3m1cb0y
Description:	Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	weird_zip_high_compression_ratio Create hunting rule
Author:	Maxime THIEBAUT (@0xThiebaut)
Description:	Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:	https://twitter.com/Cryptolaemus1/status/1633099154623803394